F
FromTheRafters
Kelsey Bjarnason said:
Viruses don't depend on software flaws. Even if MS's code
were flawless - viruses could still exist and create a desire
for anti-virus measures.
Viruses don't depend on software flaws. Even if MS's code
were flawless - viruses could still exist and create a desire
for anti-virus measures.
S
Sugien
Kelsey Bjarnason said:
Virus are just programs that someone has written. I suppose if someone
opens a dos prompt and types without the quotes "format c: /u" that
Microsoft should have to pay to replace the data? I guess to a certain
extent you could call just about all virus/worm/malware an abuse of a
functionality, like what Microsoft said about my newsbug code which when the
web page is opened or if used as stationary in OE (with certain security)
starts creating bunches of bogus news groups in OE until OE crashes and then
the user has to manually delete each and every account.
--
Paul M. Bryant Sr. Owner
/}
@###{ ]:::::
ino-Soft Software::::::>\}
http://www.dino-soft.org
K
kurt wismer
Black said:
yes, and if one of those reasons happens to be that the person has
become a victim of FUD then it's probably a good idea that someone
point it out...
ok well, believe this - the av market is very competitive and if one
company could use info like this against another company it would...
any company that tried to get cozy with the virus writers would get
roasted, it would be commercial suicide...
and nowadays you don't really have to speculate about virus writers
getting support from anti-virus companies - it's become readily
apparent that virus writers are in league with the spammers instead...
J
JT
The reality is that most virus DO exist because of flaws in MS code or MS
lack of security in the OS model. Without the ActiveX flaws, 99% of all
virus would not exist. Add security flaws, such as the RPC exploit that
allowed Blaster, and you have most of the rest. Without ActiveX, you reduce
the need for AV greatly. Close the ports and unneeded services that MS
leaves lying around by default and you eliminate most of the rest. Those 2
steps would reduce the AV industry from a 2 Billion dollar a year industry
to one of probably 2 Million dollars.
There will always be attempts at exploits. Phishing and other "human
engineered" exploits attack the weakest part of any security system, the
human part. Why make it easier for the bad guys than it has to be.
JT
O
optikl
Kelsey said:
You're confusing vulnerabilities in the M/S Windows oS, which can be
exploited with malicious code programs, with viruses, in general. How do
you account for the fact there are viruses written for other OSes? Is it
all just shitting coding and lack of security?
O
optikl
JT wrote:
What about Trojans and backdoors? Not all malware takes advantage of
ActiveX? What if you have ActiveX totally disabled but execute a program
you think, or have been told, is a game?
Add security flaws, such as the RPC exploit that
You just said 99% of viruses are due to ActiveX flaws. Now, you're
saying something different. It doesn't take you but 2 sentences to
change your mind.
Close the ports and unneeded services that MS
You just whip these statistics out of your head?
what is your point?
What about Trojans and backdoors? Not all malware takes advantage of
ActiveX? What if you have ActiveX totally disabled but execute a program
you think, or have been told, is a game?
Add security flaws, such as the RPC exploit that
You just said 99% of viruses are due to ActiveX flaws. Now, you're
saying something different. It doesn't take you but 2 sentences to
change your mind.
Close the ports and unneeded services that MS
You just whip these statistics out of your head?
Your last sentences contradicts, not supports your initial point. Just
what is your point?
B
BoB
Not being an XP user, I won't even ask why. It is nice to hear a
positive statement about XP.
BoB
B
BoB
From that additional info it is obvious you should experience no
real problems in the virus arena. Same here, I'm enjoying Firebird
and looking forward to Firefox when it becomes relatively bug free.
I scan after each update of Adaware but never find a thing. There
is no excuse for anyone to become infected with virus' or spyware.
BoB
J
JT
Then you are not talking VIRUS anymore. Malware for sure. Fixing the
security model even reduces the problem with trojans and backdoors. If the
average user doesn't have access to the total machine, then most backdoors
can't function, because they don't have the rights to what they want to do.
And trojans will be limited to affecting a limited part of the machine that
is controled by the user, not reeking global havoc. Of course this is
assuming a flawless OS with a Perfect security model
No mind change here. A reading comprehension problem on your end. That
sentence means, of the 1% of VIRUS left over (that is what most of the REST
means), the majority exploit the poor security model of windows. Make it
simple. 1000 virus 990 will probably be activex. 7 will probably be OS
weakness.
Not a statistic, an estimate. The 2 Billion figure was from your quote. I
Estimate that the problem would be 1000 times less severe, therefore the 2
Million estimate. Instead of 1000 virus (an example, not a hard number)
being in the wild, you are down to 2 or 3. Much more manageable problem.
About 1000 times less costly.
The post I replied to said
My point is that the vast majority of virus DO in fact depend on software
flaws. The complexity of the problem when the software is not so easily
exploitable is beyond the capability of crackers and script kiddies. If the
software was flawless (not going to happen in any OS) then you have killed
the market for AV products.
JT
J
JT
Virus have always depended on the vulnerabilities of the software and the
security of the systems they are attacking with very few exceptions. Go to
any virus database or security advisory. They are exploiting a weakness.
If not activex, then unchecked buffers or insecure automation features.
Started that way in the early MSDOS and AppleII days when virus were young.
The exploits that have happened recently against other OS such as Linux and
Apples OS/X have been exploits of software or security configuration
errors. As an exercise, find a Virus or worm (not a phishing/human
engineering exploit that tricks a user into running a program that erases
his hard disk thinking it was a free game) that does not exploit such a
weakness in all the online virus information. Just get me a couple out of
the thousands that are out there. Something recent would be nice, but I am
not picky
JT
F
FromTheRafters
JT said:
Maybe they are widely successful in part due to flaws in code
and/or flaws in design, but they (viruses) are not dependent on
them. Worms may be more dependent on this than viruses are,
but even without worms you would still need AV products.
I doubt that figure, but I see your point - which has little to do
with viruses or with the belief that the desire for AV programs
would disappear if coding errors were nonexistant. "viruses"
do not depend on coding errors in order to function.
[snip]
Makes one wonder how viruses managed to exist before
ActiveX and Java did. ;o)
Kind of a general security related thing really - meaningless to
viruses though.
They would spend less time chasing down the latest and greatest,
and maybe have time to direct their creativity toward other security
related utilities. But, they don't owe their existence to any company's
faulty code or any errors in general. There *will* be viruses, and the
desire to identify them.
True, but lack of flaws in software (designwise or codewise) does
not make AV go away. Perhaps as we move away from general
purpose computing to special purpose computing this will change.
R
Ron & Ree
There are more ways for a virus to get on your system than using a browser
or mail program, which is what you are talking about. How about purchasing
commercial software at a store?
I bought 2 digital photo CD's that had the diehard virus on them.
Here are some other examples that don't rely on a software exploit to get on
your system, just you installing a program you normally would not even think
about having a virus:
http://www.sophos.com/virusinfo/articles/dreamcast.html
http://www.techweb.com/wire/story/TWB19980827S0011
http://gamesdomain.yahoo.com/pc/warner_bros_the_powerpuff_girls_meet_the_beatalls
or mail program, which is what you are talking about. How about purchasing
commercial software at a store?
I bought 2 digital photo CD's that had the diehard virus on them.
Here are some other examples that don't rely on a software exploit to get on
your system, just you installing a program you normally would not even think
about having a virus:
http://www.sophos.com/virusinfo/articles/dreamcast.html
http://www.techweb.com/wire/story/TWB19980827S0011
http://gamesdomain.yahoo.com/pc/warner_bros_the_powerpuff_girls_meet_the_beatalls
R
Ron & Ree
What about Trojans and backdoors? Not all malware takes advantage of
replicates itself. It does not even have to be "malware."
I think you are confused about what a virus is. It is a program that
replicates itself. It does not even have to be "malware."
F
FromTheRafters
JT said:
Strictly speaking, neither were you (but *I* was). The basic
idea of "virus" is not constrained by needing to use *any*
software flaws whatsoever.
Malware for sure. Fixing the
security model even reduces the problem with trojans and backdoors. If the
average user doesn't have access to the total machine, then most backdoors
can't function, because they don't have the rights to what they want to do.
And trojans will be limited to affecting a limited part of the machine that
is controled by the user, not reeking global havoc. Of course this is
assuming a flawless OS with a Perfect security model
Which is quite an assumption.;o) Worms may need to exploit *something*
whether it is code (buffer overflow), design (known resources in a known
location i.e. *.wab), or peoples desire to be loved. However, a virus need
not do anything to get through your security perimeter unless your security
model includes safeguards specific to malware that hides within programs.
The fact that an integrity checking application or utility isn't bundled with
a particular OS isn't really a flaw in software or design, and such an app
won't 'identify' the culprit responsible - and that is AV's strength.
[snip]
Could you explain? Are you using the term "virus" to include all
self-replicating malware? If so, this is yet another reason to draw
a distinction between the two terms "worm" and "virus". A "virus"
is not something that depends on a flaw in software - it depends
on the same things that the user depends on to get work done.
If you remove access to the methods it uses, you no longer have
a useful machine for the user either.
Not true, because if you remove the so-called 'flaws' that a virus
uses - you have removed the machines usefulness as well. Yes,
there may come a time when users will say, "gee - remember back
when there were computer viruses?" - but I don't think they will be
using general purpose computers like we are.
O
optikl
JT said:Then you are not talking VIRUS anymore. Malware for sure. Fixing the
security model even reduces the problem with trojans and backdoors. If the
average user doesn't have access to the total machine, then most backdoors
can't function, because they don't have the rights to what they want to do.
And trojans will be limited to affecting a limited part of the machine that
is controled by the user, not reeking global havoc. Of course this is
assuming a flawless OS with a Perfect security model
The same *can* be said about viruses. Not all viruses rely on ActiveX.
I may have a reading comprehension problem, but you appear to be very
loose with your estimating skills. How about some proof statements for
the 99%?
My quote? You mean the words I pasted in the text of my post, that were
attributable to....I thought it was you. No? Maybe someone else?
Certainly, I've never estimated that number.
Instead of 1000 virus (an example, not a hard number)
Vast Majority? On OS flaws? I don't really see that. I'd say, recently
less than 20, not including the variants, of course (.a, .b, .c, etc).
What number do you have in mind?
The complexity of the problem when the software is not so easily
Well, you and I will have to disagree, I guess. I think if we were
talking about *firewalls*, I would be more inclined to say you and I are
on the same page.
While I disagree with your estimate of the percentage of malware that
would disappear with a more secure OS, thus eliminating the need for AV,
I do agree you could kill the market for AV if you eliminated 99% of
those who have access to computers <bg>. Malware is really a people
problem; people write it, people let it have access to their systems and
people have have to deal with it. The most secure OS you can come up
with is going to have someone administering it and someone using it.
That's sort of where things tend to break-down.
F
FromTheRafters
BoB said:
If that is what you think that was, then okay.
....but I think it was a reference to F-Prot for DOS not
supporting XP's NTFS and the difficulty in finding a
suitable maintenance environment for use on that OS
and filesystem.
N
null
I think there's some general agreement that the term "malware" (for
malicious software) is a catch-all term that includes at least all the
stuff that modern antivirus scanners are designed to detect.
Art
http://www.epix.net/~artnpeg
J
JT
Trojans are programs that are disguised as something else. Don't have to
replicate themself, although trojans are often virus. Backdoors don't even
have to be a separate program. They are a way to bypass normal security
restrictions. Could be a hidden password such as is coded into many BIOS,
and was left in some systems for "maintenance" access. Some virus install
backdoors. The virus part of the program used a weakness to infect and
replicate itself.
No recent virus is not Malware, even those that claim to be virus killers.
JT
J
JT
A proper security model doesn't let a program access outside of a limited
set of areas. A proper security model may no keep the virus from being part
of another program, but can make difficult, if not eliminate the
replication part of the process. Most people are so accustomed the wide
open model of windows, that concepts like executables needing to be in
certain places to run, files execution being determined by security
permissions instead of just names, etc. are overlooked. Access control
lists, etc. are just becoming available for the masses.
Not true. Useful machines with proper security models have been available
for years. They are still doing useful work. A word processor doesn't need
to create executable files. Games don't need to write to files not part of
the game or in the game directory tree.
A general purpose computer means a machine that can be programed for
virtualy unlimited purposes. That doesn't mean that every program on the
machine should have unlimited access to that capability. Most programs
should be limited in what they can access and the functions they perform.
Having system files read only or execute only doesn't reduce their
usability. Memory protection, which limits the memory a program can use, is
necessary for multiprogramming systems. Making parts of the file system off
limits to average programs does not reduce the ability of a machine to be
useful. Limiting the capability of generating an executable to a very
limited set of programs and circumstances doesn't limit the ability of user
to run programs.
JT
K
Kelsey Bjarnason
[email protected] said:
Really. So why is it that when I run Linux, I don't worry about
viruses? Let's compare something as simple as an e-mail. The default
Windows tool _automatically executes code_ in the email. Behind the
scenes. Without so much as asking. Or warning. Or telling you how
mind-numbingly stupid it is to do this.
Well, fine, okay... as long as that code is well and truly sandboxed off
from the rest of the system, that's okay. It is, right? Umm... I'm not
aware of any assurances of that.
So, right there, we've got one boneheaded design. Here's another. I'll
send you a file, it shows up as "file.jpg". The mail says "look at the
pretty picture". If you've been on the web any length of time, you
probably realize a .jpg is an image file - should be safe, right?
Wrong. First, it's not file.jpg, it's file.jpg.exe - but MS, in their
infinite stupidity, chose to hide file extensions. Well, hell, that's
okay, not like it matters. See, as long as they don't compound their
stupidity by doing anything so unbelievably risky as executing code
simply because its filename says to execute it, that wouldn't matter.
Oh, whoops... they do. It's a .EXE file. Which means it executes. All
the user needs do is say "open attachment" - or, with appropriate
updates, save then double-click it.
Know what happens when someone sends me an executable attachment in
Linux? I save it, I double click it and... hmm; there it is, loaded up
in my text editor. Why? Because the default action for unknown file
types is to run the editor... and since the file, despite being a .out
or a .bin or a .sh or whatever, *is not an executable* - the execute bit
has not been set locally.
So, you send me file.jpg.sh on my Linux box, first I can *see* that it's
a .sh file, not a .jpg, and second, if I do try to run it, it doesn't
run anyway.
Simple, isn't it? Except that MS's ideas on file security are about
those of an old whore's ideas on sex - promiscuous doesn't begin to
describe it.
They _could_ have mimicked the *nix mechanism of requiring an execute
bit - a bit which needs to be set locally and manually, at least for
things other than full install packages, locally compiled binaries, etc.
The example was there before Windows was, even before DOS, so no excuses
there. The "innovation" of rendering HTML mails _at all_, let alone
with effectively unsecured scripting thrown in, is about as stupid a
desgin decision as one could make if *paid* to make soemthing unsafe.
But, hey, the worst that's going to happen is that the user will maybe
muck up his own files, right? Nope. First, MS makes absolutely no
attempt at install time or runtime to warn the user that "running as
root" is both dangerous and stupid. IIRC, XP even goes so far as to let
you run as root without a password - I can't begin to tell you how much
confidence that gives me. But, having failed to do this - warn you - it
thus leaves the entire system open to infection, attack, etc, rather
than just your files. Sure, escalation-of-privilege attacks can still
occur, but at least it'd give _some_ challenge to the intruder.
MS doesn't stop there, though. Nope, despite all that, your system
isn't nearly vulnerable enough. What else could they do? Oh, yes...
how about RPC and Windows File Sharing enabled by default if you have
network support? Never mind if you're actually on a LAN where it might
make sense to have such things, no, we'll open 'em up to the whole
frigging world the second you use a NIC-based internet connection. It
may even happen with dialup... don't recall.
Well, that's okay, I mean, they do bundle a firewall, right? One that's
enabled by default, blocking all inbound connections until explicitly
told not to? Nope. Until XP, they didn't include firewalling at all,
and with XP, you pretty much have to already know it's there and then go
hunting for it if you want to find it - and there's not a heck of a lot
of help during the configuration of it.
So... where's that leave us? Let's recap:
1) No firewalling
2) Unnecessary services open to the world
3) Users generally run as "root"
3b) ... often without even a password
4) Mails, HTML files, etc, merrily run scripts in the background, with
little expectation of them doing so safely
5) File extensions are hidden by default, but...
6) ... it is the file extension that defines whether something is
executable, leading to...
7) If you click it, it will run. Even if it claims to be a .jpg.
Now a lot of this could be remedied fairly simply. Don't run as root,
for starters. Toss OE and IE, etc, on the scrap heap. Replace them
with a slightly more reliable toolset. Except you can't. Oh, sure, you
can run Mozilla instead of IE... but you can't get rid of IE; the whole
flippin' system depends on it. So any issues IE has - and let's face
it, IE is a sieve - end up also being issues for everything else that
relies on it. Yes, certain updates allow you to "remove" IE... except
they don't; the core evilness is still there, all that's gone is the web
browser interface component. Big whoop.
MS relies heavily on "integration" - making various things work with
each other. That's fine and good and all, and it's a good idea... but
if you can't replace components even when they're found to be not merely
bad but actively dangerous, this integration ceases to be good and
starts to be a really, really, really bad thing. And anyone who says IE
isn't actively dangerous hasn't been paying attention.
But let's top this off with some other MS follies. NT4. Nice little
system, right? Then why did MS admit that NT4 was effectively
impossible to fix in relation to the various security issues they were
having with it? Why can't they fix shatter? Why is it that a flippin'
web page can cause a file to be installed and executed locally, with all
the privileges of a local file - i.e. the ability to do anything *you*
can do? Oh, right; because MS can't code their way out of a wet paper
bag.
Now note... not *one single item* of this entire list applies to Linux.
Or Unix. Or the various BSDs. Or VMS. Or... well, you get the point.
The virus, attacking such systems, has *none* of these points of entry,
with the sole exception - if enabled - of javascript support for web
pages - and even that is well protected from doing anything particularly
damaging.
Why don't these problems exist in other OSen? Because those OSen were
designed and written by people who care about security and are actually
competent to develop such code. MS has repeatedly yammmered on about
their "Most trusted Windows ever" and their "Security initiative" and
whatever else... but they keep right on delivering the same tired old
crap.
So no, if Microsoft wrote "flawless code", these problems simply would
not exist, or at least, not in the form they do now. Linux, for
example, has had a few viruses. Despite the relative ease of finding
Linux machines to attack, though, they never get very far. Why?
Several reasons. First, the entire infrastructure is better designed.
Second, while many things are "integrated" in the sense of being able to
use various components to get things done, those components can be
changed. Third, because it almost invariably requires a manual step to
turn something from a simple data file into an executable, a step which
doesn't change just because the file has a special name.
Oh, and fourth, because on those systems, serious security risks are
almost invariably fixed within hours, or at most days, of becoming
known. MS has been known to let *critical* vulnerabilities exist for 90
days and more after being identified. Not a good record for a company
that supposedly cares about security.
Oh, and a final note.
One thing that really separates Windows from Linux is updating. Let's
be honest, here... while MS's approach to security is about like trying
to wipe up the ocean with a sponge, they are not the only company
producing vulnerable software for Windows. Hell, given the half-baked
framework MS provides, it's virtually guaranteed that a non-trivial
application will have at least one potential way to hijack it for
malicious purposes.
So... when I get my list of updates, all graciously provided by
Microsoft in their lovely little "windows update" tool, I *do* get a
listing of all the security updates of all those other products, too,
right?
Wrong. Hell, I don't even get Microsoft's *own* product updates listed.
To get updates for Office, for example, I have to use a different tool.
And for updates to, oh, Corel or Mozilla or whomever else, I have to use
their tool, or go to their website, download the update and install it
myself.
Linux? I get a single unified approach that updates virtually _all_ my
software. For example, in Debian, from a root shell, I'd do the
following: apt-get update && apt-get upgrade and voila; instant updates
to all the installed apps. In Mandrake, there's a nifty little GUI tool
that lets me choose between bug fixes, security updates or general
updates, so I can, if I want, with a couple of mouse clicks,
automatically download, install and apply all the security fixes for 200
or more applications.
Could Microsoft do something like this? Sure they could. If they knew
Office had a hole, they could include it in the update list. If Corel
told MS "Draw 9 has a hole... here's the URL to the patch file", MS
could bundle that along with the rest. And so on. They go out of their
way to include this wonderful little tool to warn you about critical
security updates... then promptly ignore the vast majority of such
updates, *even from their own applications*.
Nope, any way you slice it, the entire mess that is today's internet,
with all the viruses, worms, spam zombies, trojans and the like, is
*directly* and *totally* a result of Microsoft's either not caring about
security, or being incompetent to actually provide security. Or both.
So what's their latest move? Did they decide to fix the OS? Did they
decide to develop a framework in which security was actually a core
component? No... they chose instead to pass the buck to the hardware
vendors. With the new "Trusted Computing" approach, it comes down to
the _hardware_ being relied on to protect things, because MS can't write
software well enough to do the job. Other OSen don't need this sort of
hand-holding; why does Windows? Right, it's because of Microsoft's
stellar record on producing flawless code with a critical eye to
security measures.
So yes... that entire 2 billion a year industry, plus all the damages
done - estimates range from a low of 20 billion to well over 200 billion
in lost data, downed servers, network outages, etc, etc, etc, - all lies
squarely on Microsoft's shoulders. That users are willing to _pay_ for
such a disaster boggles the mind.
PS. You'll note I'm posting from a Windows-based news client. I'll
point out two notes about that. First, I didn't pay for Windows;
Microsoft sent me my Windows free of charge, in return for various
things I recommended to them. Second, my Windows boxes live behind a
Linux box that, among other things, scans mails, web pages and the rest
for potentially malicious content. This drastically reduces the risks
and, since it also acts as a firewall, the Windows box is that much more
secure. Ain't it funny, though... this flagship product of a multi-
billion dollar empire being protected by a free product tossed together
by a pack of volunteer hacker types. Yet we're supposed to believe it
ain't Microsoft's fault. Bah.